Authenticated User Permissions Are Removed

In a locked-down Active Directory environment, authenticated user access control entries (ACEs) are removed from the default Active Directory containers, including the Users, Configuration or System, and organizational units (OUs) where User and Computer objects are stored. Removing authenticated user ACEs prevents read access to Active Directory information. However, removing the ACEs creates issues for Lync Server 2010 because it depends on read permissions to these containers to allow users to run domain preparation.

In this situation, membership in the Domain Admins group, which is required to run domain preparation, server activation, and pool creation, no longer grants read access to the Active Directory information stored in the default containers. You must manually grant read-access permissions on various containers in the forest root domain so that Setup can verify that the prerequisite forest preparation procedure is complete.

To enable a user to run domain preparation, server activation, or pool creation on any non-forest root domain, you have the following options:

Use an account that is a member of the Enterprise Admins group to run domain preparation

Use an account that is a member of the Domain Admins group and grant this account read-access permissions on each of the following containers in the forest root domain:

Domain

Configuration or System

If you do not want to use an account that is a member of the Enterprise Admins group to run domain preparation or other Setup tasks, explicitly grant the account you want to use read access on the relevant containers in the forest root.
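The following PowerShell script is an added example, not part of the original article or of Lync Server Setup. It audits whether a chosen account already holds read access on the domain, Configuration, and System containers of the forest root, and optionally adds an Allow GenericRead ACE where it is missing. It assumes the Active Directory module is available and that the account name CONTOSO\LyncPrepAdmin is a placeholder for your own Domain Admins member.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module; run as an account that may modify ACLs on the forest root containers.
Import-Module ActiveDirectory

$account    = 'CONTOSO\LyncPrepAdmin'            # hypothetical Domain Admins member
$forestRoot = (Get-ADForest).RootDomain
$rootDse    = Get-ADRootDSE -Server $forestRoot

# The containers the article names: the domain itself, Configuration, and System.
$containers = @(
    $rootDse.defaultNamingContext,
    $rootDse.configurationNamingContext,
    "CN=System,$($rootDse.defaultNamingContext)"
)

$readRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

function Test-ReadAccess {
    param([string]$Dn, [string]$Identity)
    $acl = Get-Acl -Path "AD:\$Dn"
    # True when an Allow ACE for the identity covers every bit of GenericRead
    # (read properties, list children, read the security descriptor).
    [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $readRights) -eq $readRights)
    })
}

function Grant-ReadAccess {
    param([string]$Dn, [string]$Identity)
    $sid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $readRights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl = Get-Acl -Path "AD:\$Dn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

foreach ($dn in $containers) {
    if (Test-ReadAccess -Dn $dn -Identity $account) {
        Write-Host "OK      $account can read $dn"
    } else {
        Write-Host "MISSING $account cannot read $dn (granting GenericRead)"
        Grant-ReadAccess -Dn $dn -Identity $account
    }
}
```

Run it once with only the Test-ReadAccess loop (comment out the Grant-ReadAccess call) to see the current state before changing any ACL; the audit half is also a useful check after domain preparation is complete.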